
Encode select options #555

Merged
merged 2 commits into from
Nov 27, 2017

Conversation

barryvdh
Contributor

Options are not encoded correctly.

@claar claar merged commit 7d16463 into formers:master Nov 27, 2017
@barryvdh barryvdh deleted the patch-5 branch November 27, 2017 14:53
@barryvdh barryvdh restored the patch-5 branch November 27, 2017 14:53
@claar
Member

claar commented Nov 27, 2017

Much appreciated -- thanks @barryvdh

claar added a commit that referenced this pull request Jan 2, 2018
This commit broke existing behavior; select options containing "<", for example,
were incorrectly encoded as HTML entities.

This reverts commit 7d16463.
@claar
Member

claar commented Jan 2, 2018

I had to revert this due to backwards compatibility. This commit incorrectly converts characters in select labels such as < into HTML entities like &lt;, which is undesirable and breaks past behavior.

@barryvdh Can you speak to the original goal of this PR?

@barryvdh
Contributor Author

barryvdh commented Jan 2, 2018

I think the use-case was XSS, for example a dropdown with user names like Barry<script>alert('xss')</script>

@claar
Member

claar commented Jan 2, 2018

Hmm.. I'm unsure how Former could protect against <label>Barry<script>alert('xss')</script></label> while also providing a mechanism for having a literal > in the label.

I could be mistaken, but it seems that Former can't help here?

@barryvdh
Contributor Author

barryvdh commented Jan 2, 2018

I'm not 100% sure, but I think it was when using a model query/collection as input, so not really easy to manually escape (or at least not really expected to be outputted raw), not sure what is best though.

@hillelcoren

What about adding an encode method to Former::select to opt-in to the new behavior?
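To make the trade-off discussed in this thread concrete, here is an added illustration (not Former's own code, and the function and parameter names are assumptions) of an opt-in encode flag for option labels: with the flag off, a label carrying markup reaches the browser as markup; with it on, the same label is shown as literal text, and a label with a literal ">" still displays correctly because the browser decodes the entity.

```php
<?php
// Added illustration, not code from the Former project. renderOptions() and
// its $encode parameter are assumed names, not Former's API.

/**
 * Render the <option> elements of a select.
 *
 * @param array<string|int,string> $options  value => label
 * @param bool $encode  when true, labels go through htmlspecialchars() so any
 *                      markup in them is displayed literally instead of parsed
 */
function renderOptions(array $options, bool $encode = false): string
{
    $html = '';
    foreach ($options as $value => $label) {
        // The value attribute is always escaped: a quote inside it would
        // otherwise terminate the attribute regardless of the $encode setting.
        $safeValue = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $text = $encode
            ? htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : $label; // past behaviour: label emitted as-is
        $html .= sprintf('<option value="%s">%s</option>', $safeValue, $text) . "\n";
    }
    return $html;
}

// Constructed sample input: a user name carrying markup (the XSS case from the
// thread) and a label with a legitimate literal ">" (the compatibility case).
$options = [
    1 => 'Alice',
    2 => "Barry<script>alert('xss')</script>",
    3 => 'Sales > Europe',
];

echo "--- encode=false: markup is passed through to the browser ---\n";
echo renderOptions($options);
echo "--- encode=true: markup is rendered as text, '>' becomes '&gt;' ---\n";
echo renderOptions($options, true);
```

Keeping the flag opt-in avoids double-encoding for callers that already escape their labels, which is the compatibility break the revert above describes.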

ricardosierra added a commit to SierraTecnologia/former that referenced this pull request Jun 16, 2020
* 'master' of github.com:formers/former: (47 commits)
  Support Laravel 7
  Fix errors when using rules in validation array
  Add tests
  Fix errors when using rules in validation array
  Laravel 6 support (formers#591)
  Adds correct checkbox input class when is a checkbox (or radio) (formers#590)
  Encode checkbox value to prevent XSS attack (formers#584)
  Fix the Bootstrap 4 help blocks
  Fix tabs vs spaces :)
  Fix Bootstrap 4 validation messages not being colored red
  Fix the error state for Bootstrap 4
  Fix TwitterBootstrap4 blockHelp
  Add default TwitterBootstrap4 config
  Adding support for Bootstrap 4 (formers#577)
  Add Choice field type
  Add field modifiers to store method signature metadata and postpone framework classes until render time
  Checkable allow setting inline, stacked, grouped via boolean attribute
  Allow setting required via boolean attribute per formers#571
  Update README.md
  Revert "Encode select options (formers#555)"
  ...
3 participants